system restore & virus

Ken Blake

MAP said:
But I wouldn't do this unless there's a problem. Corruption does happen occasionally, but not often.

But Ken, how do you know there is a problem unless you try to use SR and it doesn't work, but then it is too late.


Yes, but on the other hand if you do it preemptively when you
don't need to, you may delete a restore point that it later turns
out you needed.

Since corruption is relatively rare (although it *does* occur too
often) I'd much rather keep the restore points that exist, so
they are there *if* you need them. If you do it your way, you're
substantially increasing the risk that you won't have the restore
point you need.
 
Ken Blake

I hate to tell you this, but viruses are much more sophisticated than you want to believe. ie: One I cleaned weeks ago was nothing more than a html link to a web site. The payload was at the website. The worst offenders now don't do any damage or even let you know they're there. You're thinking kiddie scripts that screw with your OS and annoy at a minimum.

It hasn't happened to me yet, but it has to others. Viruses, Trojans, I'm not going to debate the semantics, are now opening up your drive space as download space for pirate software, and spam relays to divert the trail from the one using those virus/backdoors. And who knows what's in their bag of tricks now.

Being dial up has its options. Not on long enough or with a fast enough connection to make the backdoor worthwhile.


Again you miss my point. Restoring the point that includes in the virus would only be done for the purpose of cleaning of the virus. If you restore to a prior point, that'd be a different issue altogether. I'm just talking about points inside restore points.

Maybe I'm different, I scan at a minimum weekly. If I were to find one and have it reported as included in a hidden restore point, the next step to me would be to restore that point. It couldn't be much older than a week. And it would seem that it might have actually been created by the virus to hide itself.


I'm not going to argue with you any further. I've made my points
and you may believe me or not, as you choose. But you have a very
mistaken view of what a restore point is.
 
Ken Blake

MAP said:
Hi Bert, I learned something new today :)
I didn't know that the restore points were linked together with the newer ones,



Just as an addition to Bert's excellent advice, that's precisely
the reason why you can't selectively delete Restore Points.
 
Jim Donovan

Husky said:
Just a question in case it does happen. I have maybe 6-7 months of restore
points currently and perfectly happy with all of them.

But something I've been reading here. If you get a virus there seems to be some sort of opinion to delete all previous restore points if the virus is found inside a protected restore point folder.

Wouldn't it make more sense that when you find a virus, if there's any doubt to whether it was cleaned or not, to restore the system one restore point prior to the virus ?

If you are curious as to what the restore points actually have in them then go to the System Volume Information folder, which stores the restore points. I once had to go in and open a restore point to get rid of ALTNET, and a few other executables that were garbage. The best way to do this is in safe mode. I got this info from
http://www.theeldergeek.com/system_volume_information_folder1.htm

Good Luck



Jim
 
Bert Kinney

Hi Jim,

I suspect messing with the files within folders in the System Volume
Information folder would cause that restore point to become corrupt,
which in turn would cause any prior restore points to become corrupt
also. Did you experience different results after making modifications
within these folders?
 
Jim Donovan

Bert Kinney said:
Hi Jim,

I suspect messing with the files within folders in the System Volume
Information folder would cause that restore point to become corrupt, which
in turn would cause any prior restore points to become corrupt also. Did
you experience different results after making modifications within these
folders?

Hello Bert

This all started out because SpyBot S & D and Microsoft Beta could not remove the ALTNET registry key, and each time I tried an earlier restore point I would still get this problem, because it was resident in the restore points, so to clean this I had to delete the restore points (through the System Restore function), go into safe mode and reclaim the permissions for the registry and manually delete the keys. But to answer your question, I am not sure if deleting an .exe file in the restore point would corrupt the file. I am not familiar with restore points being linked with each other, so to me a simple deletion of the .exe should be okay, or so I think. It would be an interesting experiment though to actively delete files in the restore point and then do a restore to that point; you can always reverse the restore I guess if some of the files deleted interfered with the operation of an application.



Jim
 
Husky

Unfortunately you don't know when the corruption occurs, unless of
course a virus scan shows an infection within the System Volume
Information folder. One could also suspect restore point corruption on
a system found to contain malware/spyware. To test system restore,
create a restore point and immediately restore to it.

That wouldn't tell you a thing. I'm under the impression corruption being
referred to here is data corruption on the HD. That's happened several times
with instant power failures while writing to the HD.
Stuff like that can't be planned for or avoided without a battery power supply.
And then it might corrupt the restore points, only if that were the process
being written.
 
Miss Perspicacia Tick

Ken said:

I'm not going to argue with you any further. I've made my points
and you may believe me or not, as you choose. But you have a very
mistaken view of what a restore point is.

Ken,

Never argue with an idiot. They bring you down to their level then beat you
with experience... ;o) <eg>
 
